Methods for control data base updating of a redundant processor in a process control system.



A process control system (10) includes a process controller (20) which has a first and second controller, one of the controllers (30) being designated as a primary controller and the other controller (40) being designated as a secondary controller. Each controller has a respective data base (32, 42). The primary controller performs predefined control functions of the process control system which includes updating the data base associated with the primary controller as a result of performing the predefined control functions. A method for updating the data base associated with the secondary controller comprises the steps of performing the control functions. Results therefrom are utilized to update the data base associated with the primary controller. Simultaneously with updating the data base, predetermined information being stored in the primary data base is collected. At the completion of performing the control functions, the predetermined information which was collected is transferred to the secondary controller.
BACKGROUND OF THE INVENTION

This invention relates to a method for maintaining consistency between a primary data base and a secondary image of the data base of a one on one redundant processor in a process control system, and more particularly, to a method for tracking changes to a primary data base and effecting a change to a secondary data base such that only predetermined areas changed are updated thereby achieving an increase in efficiency to perform the update function.

Process Control Systems with backup process controllers such as described and claimed in U.S. Patent No. 4,133,027, issued to J. A. Hogan on January 2, 1979, and U.S. Patent No. 4,141,066, issued to Y. Keiles on February 20, 1979, include a backup controller having a dedicated Random Access Memory (RAM) and a dedicated Read-Only Memory (ROM). The back-up controller is essentially idle or can be doing some background tasks, but not tasks relating directly to the process control function. Upon detection of a failure of one of the primary process controllers, the data stored in the RAM of the failed controller must be transferred to the RAM of the backup controller to perform the operations of the primary controller. These systems describe a 1:N redundancy system.

In the present invention there is provided a method, in a 1:1 redundancy system, whereby the data base of a secondary device (i.e., secondary or backup controller) is updated periodically such that the updating process is transparent to the primary functions and does not tie-up (or penalize) CPU or processor performance and utilizes a minimum amount of time. The method of the present invention updates only the information which was changed, resulting in a more efficient use of the CPU or microprocessor, and allows the updating process to be performed more frequently, on a real-time basis, and makes it practical to track large quantities of data so that control dynamics are not affected on a failover. Thus, when a failover condition occurs, the time to get the secondary controller to take over for a failed primary controller is substantially reduced as well as being less of an impact to the process under control.

SUMMARY OF THE INVENTION 

Therefore, there is provided by the present invention, a method for controlling the maintenance (i.e., updating) of a data base in a redundant controller of a process control system. A process control system includes a process controller which has a first and second controller, one of the controllers being designated as a primary controller and the other controller being designated as a secondary controller. Each controller has an image of the data base, wherein the primary controller acts upon and updates the data base, and the secondary controller maintains an equivalent image of the data base. The primary controller performs predefined control functions of the process control system which includes updating the data base associated with the primary controller as a result of performing the predefined control functions. A method of the present invention for updating the data base associated with the primary controller comprises the steps of performing the control functions. Changes therefrom are utilized to update the data base associated with the secondary controller. Simultaneously with updating the data base, predetermined information being stored in the primary data base is collected. At the completion of performing the control functions, the predetermined information is transferred to the secondary controller, thereby updating the data base of the secondary controller.

Accordingly, it is an object of the present invention to provide a method for maintaining the data base of a redundant controller of a process control system.

It is another object of the present invention to provide a method for maintaining the data base of a redundant controller wherein only predetermined changes are updated.

It is still another object of the present invention to provide a method for maintaining the data base of a redundant controller of a process control system without significantly impacting CPU or microprocessor performance in the primary controller.

These and other objects of the present invention will become more apparent when taken in conjunction with the following description and attached drawings, wherein like characters indicate like parts, and which drawings form a part of the present application.

BRIEF DESCRIPTION OF THE DRAWINGS 



Figure 1 shows a block diagram of a process control system having a redundant controller;

Figure 2 shows a time allocation which defines a cycle of the controller;

Figure 3 shows a partial memory map of the primary memory of the controller of the preferred embodiment of the present invention;

Figure 4 shows the packet format of the captured data in the preferred embodiment of the present invention; and

Figure 5 shows a flow diagram of the software of both the primary and secondary controllers which implements the method of the present invention.
DETAILED DESCRIPTION

Referring to Figure 1, there is shown a block diagram of a process control system 10 having redundant controllers which utilizes the method of the present invention, and more specifically there is shown a functional block diagram of a redundant process controller 20 which includes a primary controller 30 and a secondary controller 40. Although in the description which follows and the identification given to the controllers, the primary controller 30 and the secondary controller 40, the controllers are bidirectional with respect to redundancy, meaning that either of the redundant (or sometimes referred to herein as secondary) controllers can operate fully as a primary or secondary. The labels identified herein as primary and secondary are done strictly for purposes of identification and explanation.

The process control system 10 includes a plant control network 11 and connected thereto is a data highway 12 which permits multiple process controllers to be attached to the data highway 12. The primary controller 30 includes a primary processor 31, a primary memory 32, and a primary tracking unit 33. The secondary controller 40 includes a secondary processor 41, a secondary memory 42, and a secondary tracking unit 43. The primary processor 31 and the secondary processor 41 are each connected to the data highway 12. Primary processor 31 is connected to its primary memory 32 and its primary tracking unit 33. The secondary processor 41 is connected to its secondary memory 42 and its secondary tracking unit 43. Coupled to the process controller 20 are various inputs and outputs including analog inputs (A/I), analog outputs (A/O), digital inputs (D/I), and digital outputs (D/O), these inputs and outputs being connected to various valves, pressure switches, pressure gauges, thermocouples, ... which are used to indicate the current information or status and to control the process of the process control system. The plant control network 11 can be of the type described in U.S. Patent No. 4,607,256 issued to R. A. Henzel on August 19, 1986, and assigned to the same assignee as the present application. Although not shown, it is understood that the various analog and digital inputs and outputs are connected via appropriate interface apparatus to the primary processor 31 and the secondary processor 41.

Within the process controller 20, the determination of which controller 30, 40 is to be the primary or secondary, is determined by a download control personality (i.e., operating software and data base information) from the plant control network 11. At that time the first controller loaded 30, 40 will be the primary controller and the other will take the role of the secondary controller 40, the controllers 30, 40 of the process controller 20 having already been identified as the primary controller 30 and the secondary controller 40 in Figure 1, for purposes of description and example; however, it will be understood that the primary controller could have been the controller 40 and the secondary controller could just as well have been the controller 30. Having thus established the primary/secondary roles of the controllers 30, 40, the primary controller 30 performs the control processing algorithms, which include reading the input data from the valves, pressure gauges, ..., performing predetermined calculations and outputting the results. The data is also stored in the primary memory 32. There is an area of the primary memory 32 that is designated as tracked memory (or tracked RAM). A write to this area, i.e., the tracked RAM, will be shadowed by the primary tracking unit 33. The primary tracking unit 33 stores predetermined data simultaneously with the writing of tracked RAM into its own internal storage unit (not shown) in a predetermined format, denoted herein as packets. Upon completion of its processing function for a given time interval, the primary processor 31 transmits control signals to the primary tracking unit 33 thereby initiating transfer of the data stored within the primary tracking unit 33 to the secondary tracking unit 43. Some control information is also transferred by the primary processor 31 to provide for secure transfer, i.e., header information, byte count, data type, .... The secondary processor 41 then takes the data stored in the secondary tracking unit 43 and generates the required information from the information packets stored in the secondary tracking unit 43, and updates the secondary memory 42. The secondary processor 41 accepts these packets, performs integrity tests and communicates the results of these tests back to the primary processor 31, extracts the data value, and calculates the address to store the data value in the address identified within the information packet of the secondary memory 42. By performing the update of the secondary memory in this fashion, the performance penalty in the primary processor 31 is greatly reduced thereby increasing the control processing capacity (sometimes referred to herein as bandwidth) of the primary processor 31. A further advantage of this method is that all the control data is automatically tracked, resulting in more robust control and in significantly reduced chances of software errors. The CPU utilized in processor 31, 41, in the preferred embodiment is of the type Motorola 68000.

Referring to Figure 2 there is shown an allocation of time utilized by the primary processor 31. In the preferred embodiment of the present invention, a cycle is defined as a time period of one second and is divided into eight subcycles. Each subcycle, the processor performs the predetermined algorithms as mentioned above (referred to in Figure 2 as point processing). The time required for the point processing is less than the time of the subcycle. Before starting the point processing, the primary processor 31 initiates the transfer of the tracked data to the secondary controller 40 (denoted in the figure as DBA data transfer). From this time frame diagram, it can readily be seen that the data contained in the data base of the secondary controller 40 is one step (i.e., subcycle) behind the data contained in the data base of the primary controller 30. Thus, while the primary is performing control action (i.e., point processing) for sub-cycle N, the secondary is updating its data base with changes incurred in sub-cycle N-1. (In systems where every write to the primary memory gets written to the secondary memory, then the primary and secondary will retain the same data base. However, if an error were to occur, i.e., a failure during the transmission of the partial byte, then both the primary and secondary would have partial byte data, i.e., the same incomplete data.) In the present invention, as has been mentioned before, the secondary data base will have complete data but is one step behind that of the primary. Other functions can be performed within the time of the subcycle. In the preferred embodiment, outside data stores from other nodes on the network is also performed, but will not be discussed further herein since it forms no part of the present invention.

Referring to Figure 3 there is shown a partial memory map of the primary memory 32. Included is the scan data which contains the actual value of the I/O as read from the valves, pressure gauges, .... The section marked configuration data includes information indicating the options which were selected, how points are configured, what algorithms are running, and the like. The section indicating process data to be backed up includes the results of the algorithms. Also included is information to indicate various functions going on such as various timers which are set, various alarms which are set, .... The area of memory marked DBA Data is the area of primary memory 32 (i.e., RAM) that is designated "tracked memory." A write to this area of primary memory 32 will be collected (or also referred to herein as shadowed or captured) by the primary tracking unit 33. The data collected by the primary tracking unit 33 is formatted in a predefined packet.

Referring to Figure 4, there is shown the format of the packet generated by the primary tracking unit 33 in the preferred embodiment of the present invention. The upper and lower data strobe values indicate the value of the least significant address bit, and the most significant five address bits can be assumed (i.e., known implicitly) due to the layout of the tracked memory. The tracked memory packet is built for every write (byte or word) to the tracked memory but only while memory tracking is requested. An important feature of the primary tracking unit 33 is that there is essentially no performance penalty in writing to the tracked memory, as discussed above.

Tracked data packets are stored in a memory store unit (not shown) of the primary tracking unit 33. The three word packets are not stored sequentially, but in column format. The primary tracking unit stores the packets based on a counter (not shown) of the primary tracking unit 33, which is incremented by one whenever a packet is stored. This counter is readable by the primary processor 31 in order to ascertain the quantity of data to be transferred. The primary tracking unit 33 is more fully described in co-pending application, Serial No. , entitled "APPARATUS FOR TRACKING PREDETERMINED DATA FOR UPDATING A SECONDARY DATA BASE," filed on even date herewith, and assigned to the same assignee as the present application.

Referring to Figure 5 there is shown a flow diagram of the software of both the primary and the secondary controllers 30, 40 which implements the method of the present invention. Upon starting the operation of the software, each processor performs the required initialization, which may include diagnostic tests, self tests, zeroing various buffers and memory locations, ... (block 100). Each processor then determines whether the processor is operating as a primary or secondary processor. This determination is made at the time the controller has its personality image downloaded. The decision is based on the presence of a primary (block 105). If the processor determines it is to operate as a primary processor then this controller will periodically test for the existence of an operationally loaded secondary as part of the primary's normal functions (block 110). When the secondary is detected, the entire data base is transferred to the secondary processor (block 115), and the primary processor 31 then proceeds to perform the control operation (block 120). The perform control function includes the entire control function, i.e., everything related to control. This includes obtaining inputs, doing the output function, doing the point processing, processing the changes coming in from the data highway 12, outputting required predetermined information to the plant control network 11 via the data highway 12, updating its internal data base, .... The perform control function is performed during the subcycle indicated as point processing discussed in conjunction with Figure 2 above. When the perform control function has been completed, the changes to the data base are then transferred to the secondary. The change data is predetermined and denoted DBA data (block 125). In the protocol of the present invention the secondary responds to the primary that all the data has been received and that no errors were detected in addition to performing other functions which indicates to the primary that the secondary is operating correctly. This function corresponds to the determination of whether the secondary is functioning properly (block 130). If the secondary is performing properly without any errors, the process returns to the perform control function (block 120). In a normal situation without any errors and with a secondary operational, the loop consisting of blocks 120, 125, and 130 is continuously operating each subcycle. If an error of the primary is detected by the secondary, a failover condition will occur in which the secondary controller 40 becomes the primary, and the primary controller 30 is taken off-line. The processing of the secondary controller 40 (which is now the primary controller) performs the control function (block 135) and then returns to block 110. If the former primary controller 30 is still off-line, the response to the decision in block 110 of whether there is a secondary will be no, and the loop comprising blocks 135 and 110 will be performed continuously until such time as the former primary controller 30 is made operational. Because either controller 30, 40 may operate as the primary controller, switchback to the old primary when it has been restored is neither required nor desired in the preferred embodiment of the present invention.

After the initial start and initialization, when the controller determines it is to operate as the secondary controller (block 105), the secondary controller sets up to receive the entire data block which will be transmitted from the primary (block 140), the entire data block including the scan data and configuration data which includes the personality images specified by the plant control network 11. In order to help effect the failover the secondary controller tests whether there is a primary operational (block 145). If no primary is operational, then the secondary controller assumes a primary state or mode (block 150), becomes the primary controller and the processing continues at block 110. If a primary controller is operational, the controller operating as a secondary controller sets up to receive, and receives the changes to the data base which are transferred by the primary as a result of the transfer changes (block 125) function of the primary controller (block 155). After the changes are received, the processor acting as a secondary processor acts to store the data just received in the data base of the secondary processor by interpreting the data packets in the secondary tracking unit and writing the new values contained in these packets in the secondary memory 42, i.e., secondary data base. An indication is made by the secondary processor to the primary processor when the secondary processor has completed processing all the data packets (e.g., sets a flag). The primary processor tests the flag to determine if the secondary has completed its processing. If the primary processor requests a new transfer while the previously transferred data is still being stored by the secondary, the secondary can respond by requesting the primary to pause its request. Thus as mentioned above, the secondary processor interpreting and storing the data packets of sub-cycle N-1 received from the primary processing occurs in a subcycle N while the primary is performing segment N, i.e., the data stored in the data base of the secondary processor is lagging the data within the data base of the primary processor by one subcycle, as discussed above. The secondary processor then sets up to receive data. The secondary processor is essentially in a standby mode, i.e., performing various background tasks, such as diagnostics to monitor its own readiness.
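An added illustration, not code from the patent: a C model of one subcycle of the capture, transfer and apply steps described above, including the secondary rejecting a damaged transfer without touching its data base. The packet field layout, strobe flag values, frame header, additive checksum and buffer sizes are assumptions, since the text gives only the three-word packet size and names header information and byte count as control information.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACKED_WORDS 64   /* assumed size of tracked RAM, in 16-bit words */
#define MAX_PACKETS   128  /* assumed capacity of the tracking unit's store */
enum { LDS = 0x1, UDS = 0x2 };  /* assumed flags: lower / upper data strobe */

/* Assumed three-word packet layout; the page gives only the word count. */
typedef struct { uint16_t addr, data, strobes; } packet_t;

typedef struct {
    uint16_t ram[TRACKED_WORDS];  /* tracked part of the data base */
    packet_t store[MAX_PACKETS];  /* tracking unit's packet store */
    uint16_t count;               /* packet counter read by the processor */
} controller_t;
/* Assumed transfer frame: header control information plus the packets. */
typedef struct { uint16_t byte_count, checksum; packet_t packets[MAX_PACKETS]; } frame_t;

/* Write only the byte lanes whose strobe is asserted. */
static void store_word(uint16_t *w, uint16_t data, uint16_t strobes) {
    if (strobes & UDS) *w = (uint16_t)((*w & 0x00FF) | (data & 0xFF00));
    if (strobes & LDS) *w = (uint16_t)((*w & 0xFF00) | (data & 0x00FF));
}

/* Additive checksum standing in for the unspecified integrity tests. */
static uint16_t checksum(const packet_t *p, uint16_t n) {
    uint16_t sum = 0;
    for (uint16_t i = 0; i < n; i++) sum = (uint16_t)(sum + p[i].addr + p[i].data + p[i].strobes);
    return sum;
}

/* Primary: do the write and shadow it; -1 = bad address or store full (assumed policy). */
int tracked_write(controller_t *c, uint16_t addr, uint16_t data, uint16_t strobes) {
    if (addr >= TRACKED_WORDS) return -1;
    store_word(&c->ram[addr], data, strobes);
    if (c->count >= MAX_PACKETS) return -1;
    c->store[c->count++] = (packet_t){ addr, data, strobes };
    return 0;
}

/* Primary, end of subcycle: frame the captured packets, reset the counter. */
void build_frame(controller_t *p, frame_t *f) {
    memcpy(f->packets, p->store, p->count * sizeof(packet_t));
    f->byte_count = (uint16_t)(p->count * sizeof(packet_t));
    f->checksum = checksum(f->packets, p->count);
    p->count = 0;
}

/* Secondary: run every integrity test before touching memory, so a bad frame leaves
   the previous complete image intact. Returns the status sent back to the primary. */
int apply_frame(controller_t *s, const frame_t *f) {
    uint16_t n = (uint16_t)(f->byte_count / sizeof(packet_t));
    if (f->byte_count % sizeof(packet_t) != 0 || n > MAX_PACKETS) return -1;
    if (checksum(f->packets, n) != f->checksum) return -1;
    for (uint16_t i = 0; i < n; i++)
        if (f->packets[i].addr >= TRACKED_WORDS || f->packets[i].strobes == 0 ||
            (f->packets[i].strobes & ~(UDS | LDS)) != 0) return -1;
    for (uint16_t i = 0; i < n; i++)
        store_word(&s->ram[f->packets[i].addr], f->packets[i].data, f->packets[i].strobes);
    return 0;
}

/* Constructed scenario: one subcycle of writes, then the transfer. */
int demo_lag_then_converge(void) {
    controller_t pri = {0}, sec = {0};
    frame_t f = {0};
    tracked_write(&pri, 3, 0x1234, UDS | LDS);  /* word write */
    tracked_write(&pri, 3, 0xAB00, UDS);        /* byte write, upper lane */
    int lagging = (sec.ram[3] == 0 && pri.ram[3] == 0xAB34);
    build_frame(&pri, &f);
    return lagging && apply_frame(&sec, &f) == 0 && sec.ram[3] == 0xAB34;
}

/* Constructed scenario: a word damaged in transit must not reach memory. */
int demo_corrupt_frame_rejected(void) {
    controller_t pri = {0}, sec = {0};
    frame_t f = {0};
    tracked_write(&pri, 5, 0x0042, UDS | LDS);
    build_frame(&pri, &f);
    f.packets[0].data ^= 0x0100;                /* simulate a flipped bit */
    return apply_frame(&sec, &f) == -1 && sec.ram[5] == 0;
}

int main(void) {
    printf("%d %d\n", demo_lag_then_converge(), demo_corrupt_frame_rejected());
    return 0;
}
```

Validating the whole frame before the first store is what keeps the secondary image complete but one subcycle old, rather than partially updated, when a transfer fails.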

The primary and secondary controllers 30, 40 can communicate to each other via three mediums, the data highway 12, the link 13 between the primary and the secondary tracking units 33, 43, and the I/O link (not shown, this link is the path to which the primary processor 31 and the secondary processor 41 are connected in order to interface with the A/I, A/O, D/I, and D/O). Via these communication paths, the primary controller 30 can ensure that the secondary controller 40 is present and operational, and the secondary controller can test that the primary controller is operational in order to determine when it (i.e., the controller designated as the secondary) is to assume the primary status (or mode).

While there has been shown what is considered the preferred embodiment of the present invention, it will be manifest that many changes and modifications can be made therein without departing from the essential spirit and scope of the invention. It is intended, therefore, in the annexed claims to cover all such changes and modifications which fall within the true scope of the invention.

Claims 

1. A method of operating a process control system (10) having a process controller (20), said process controller including a first and second controller, one of said controllers being designated as a primary controller (30) and the other being designated as a secondary controller (40), each controller having a corresponding image of a data base (32, 42), and wherein the primary controller is performing predefined control functions of the process control system which includes updating the data base associated with the primary controller as a result of performing the predefined control functions, the method being characterised by updating the data base (42) associated with the secondary controller (40) comprising the steps of:

a) performing the control functions;

b) updating the data base (32) associated with the primary controller (30);

c) collecting predetermined information being stored in the primary data base simultaneous with the step of updating; and

d) at the completion of the steps of performing and updating, transferring the predetermined information to the secondary controller.

2. A method according to Claim 1, characterised in that the step of collecting predetermined information comprises the steps of:

a) capturing predetermined information being stored in the primary data base (32);

b) formatting the captured predetermined information into packets having a predefined format; and

c) storing the information packets into a temporary, predetermined storage element.

3. A method according to Claim 1 or 2, characterised by further comprising the step of: (after the step of transferring the predetermined information) verifying that the secondary controller is still functional.

4. A method according to any preceding Claim characterised in that in said secondary controller (40), said method further comprises the step of:

receiving the predetermined information.

5. A method according to Claim 4, characterised in that the step of receiving the predetermined information comprises the steps of:

a) accepting the predetermined information;

b) performing integrity tests on the predetermined information accepted;

c) extracting the data value from the predetermined information;

d) calculating the address to store the data value; and

e) updating the data base (42) associated with the secondary controller (40).

6. A method according to Claim 5, characterised in that the steps of extracting the data value, calculating the address, and updating the data base associated with the secondary controller, occur during a sub-cycle N on data which was derived by the primary controller during a sub-cycle N-1.

7. A method according to any preceding Claim, characterised by updating the data base (42) associated with the secondary controller comprising the steps of:

a) performing a predefined control function;

b) updating the data base (32) associated with the primary controller (30) as a result of performing the predefined control function;

c) capturing predetermined information being stored in the primary data base (32) simultaneously with the step of updating;

d) repeating steps (a) through (c) until all the predefined control functions have been performed; and

e) transferring the predetermined information captured in step (c) to the secondary controller.

8. A method according to Claim 7 characterised by further comprising the steps of: after step (e), starting at step (a) to repeat the process at the start of the next subcycle.

9. A method according to Claim 8, characterised in that the step of starting at step (a), comprises the steps of:

a) verifying that the secondary controller (40) is still functional; and

b) if the secondary controller (40) is still functional;

i) starting at step (a) to repeat the process at the start of the next subcycle;

otherwise

ii) entering a new loop which performs the predefined control function, and checks if the secondary controller is functional.

10. A method according to any preceding Claim, characterised in that the step of collecting predetermined information comprises the steps of:

a) capturing predetermined information being stored in the primary data base;

b) formatting the captured predetermined information into packets having a predefined format; and

c) storing the information packets into a temporary, predetermined storage element.

11. A method for operating a process controller, having an operational controller (30) and a backup controller (40), the operational controller and the backup controller each having an image of a data base (32, 42), the method characterised by updating the data base (42) associated with the backup controller (40) comprising the steps of:

a) performing predefined control functions by the operational controller (30), the predefined control functions including the performance of calculation and algorithm;

b) updating the data base (32) associated with the operational controller, with the results of the calculations and algorithms performed in step (a);

c) collecting predetermined information being stored in the data base of the operational controller simultaneously with the step of updating, thereby increasing the bandwidth of the operational processor; and

d) at the completion of the step of performing, transferring the predetermined information collected in step (c) to the backup controller, the backup controller being in a standby mode ready to receive said predetermined information.